Shades of Superfish: Lenovo begs users to uninstall its own software due to massive security flaws

Last year, security researchers discovered Lenovo was shipping laptops with the worst security flaw since the infamous Sony rootkit debacle of 2005. Lenovo initially promised that it would avoid shipping all such applications with Windows 10, and declared it would make changes to its own evaluation process to ensure it only shipped cleaner, safer PCs (Emphasis original).

It hasn’t taken the company very long to break that promise. Lenovo has released a high priority security update, informing users that one application it ships, the Lenovo Application Accelerator, has a critical flaw. The notification states:

A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.

The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some consumer notebook and desktop systems preloaded with the Windows 10 operating system. Lenovo is calling for users to remove the application as a result of a Duo Labs investigation that discovered that the update mechanism used in the Lenovo Application Accelerator is fundamentally broken, with no protection against man-in-the-middle attacks. It also contains a flaw that allows for arbitrary code execution on the target machine.

The full report by Duo Labs notes that while one of the two Lenovo update agents was truly hardened against attacks, the complete lack of security around the other “exemplifies the incoherent mess that is the OEM software ecosystem.”

The report continues:

Lenovo’s UpdateAgent was one of the worst updaters we looked at, providing no security features whatsoever. Executables and manifests are transmitted in the clear and no code signing checks are enforced… Lenovo UpdateAgent does not validate signatures of applications it downloads and executes. No attempts are made to enforce the authenticity or publisher for executables retrieved by the updater… Lenovo UpdateAgent does not make use of TLS for the transmission of the manifest or any subsequently retrieved executable files. Executables and manifests can easily be modified in transit.
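The two missing controls the Duo report describes, code signing on what the updater downloads and integrity on the manifest that tells it what to download, are the ones that make an update mechanism survive a man-in-the-middle position even when the transport is attacked. The following is an added illustration written for this article, not code from Lenovo, Duo Labs or the UpdateAgent itself: a minimal updater-side check in Go in which the manifest is verified against a pinned publisher key before it is parsed, and each fetched executable is bound to the verified manifest by its SHA-256. The type and function names (Manifest, SignManifest, VerifyManifest, VerifyDownload, Scenario), the JSON layout, the file name and the byte strings are all constructed for the example; Ed25519 stands in for whatever signing scheme a real vendor would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the constructed update description an updater fetches: the files
// it may download and the SHA-256 each must hash to. Only a verified manifest
// may be used to decide what gets executed.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // file name -> hex SHA-256
}

// SignedManifest carries the manifest bytes plus a detached Ed25519 signature
// made with the publisher's private key, which never leaves the build server.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

// SignManifest models the publisher side (hypothetical): serialize, then sign.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyManifest is the client-side check the report found absent: the signature
// is checked against the pinned publisher key before the payload is parsed, so a
// manifest altered in transit is discarded rather than acted on.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (*Manifest, error) {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return nil, errors.New("manifest signature invalid; refusing to use it")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	return &m, nil
}

// VerifyDownload binds a fetched executable to the verified manifest: it must be
// listed there and its SHA-256 must match, or it is rejected before execution,
// regardless of how it was transported.
func VerifyDownload(m *Manifest, name string, data []byte) error {
	want, ok := m.Files[name]
	if !ok {
		return fmt.Errorf("%q is not listed in the manifest", name)
	}
	sum := sha256.Sum256(data)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("%q does not match the manifest hash", name)
	}
	return nil
}

// Scenario runs the checks over constructed data: a genuine update must pass,
// a manifest edited in transit and an executable edited in transit must fail.
func Scenario() (genuineOK, tamperedManifestRejected, tamperedFileRejected bool, err error) {
	// Keys are generated per run here; a real updater pins the public key in the
	// installed binary.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	exe := []byte("MZ constructed sample executable bytes") // constructed, not a real PE
	sum := sha256.Sum256(exe)
	m := Manifest{Version: "1.0.1", Files: map[string]string{"accelerator.exe": hex.EncodeToString(sum[:])}}
	signed, err := SignManifest(priv, m)
	if err != nil {
		return
	}

	// 1. Untampered manifest and file: accepted.
	verified, err := VerifyManifest(pub, signed)
	if err != nil {
		return
	}
	genuineOK = VerifyDownload(verified, "accelerator.exe", exe) == nil

	// 2. Manifest swapped in transit (a different file list, old signature): rejected.
	evil := []byte(`{"version":"1.0.1","files":{"other.exe":"00"}}`)
	_, err2 := VerifyManifest(pub, SignedManifest{Payload: evil, Signature: signed.Signature})
	tamperedManifestRejected = err2 != nil

	// 3. Executable altered in transit: hash no longer matches the verified manifest.
	altered := append([]byte{}, exe...)
	altered[0] ^= 0xff
	tamperedFileRejected = VerifyDownload(verified, "accelerator.exe", altered) != nil
	return genuineOK, tamperedManifestRejected, tamperedFileRejected, nil
}

func main() {
	ok, mRej, fRej, err := Scenario()
	fmt.Println("genuine accepted:", ok, "| tampered manifest rejected:", mRej, "| tampered file rejected:", fRej, "| err:", err)
}
```

TLS on the manifest and download fetch is still worth having, because it hides what the updater asks for and stops a network attacker from feeding it stale or malformed data, but the checks above are what make the content trustworthy end to end: an attacker who can rewrite traffic cannot produce a manifest that verifies under the pinned key, and cannot substitute an executable whose hash the verified manifest does not list.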

The report also notes that Lenovo’s Solutions Center is one of the best updaters from a major OEM. Unfortunately, both were shipping out on Lenovo systems for quite some time; Lenovo’s list of affected systems contains 78 laptop versions (though some are within the same product line) and 39 desktops.

Why single out Lenovo?

One point we want to hit head-on is why we’re focusing on Lenovo when every manufacturer had serious flaws. Roughly 15 months ago, Lenovo pledged itself to building cleaner, safer PCs. It declared that those PCs would be ready for Windows 10. It further promised to solicit feedback from “our user community and industry experts to ensure we have the right applications and best user experience. We view these actions as a starting point. We believe that these steps will make our technology better, safer and more secure.”

Here’s the really telling line from Lenovo’s security announcement: The Lenovo Accelerator Application was never installed on ThinkPad or ThinkStation devices. In other words, it wasn’t installed on the company’s business-class product lines; only its consumer-class lines like Yoga and IdeaPad. That’s exactly the same defense Lenovo offered with Superfish. Last year, I stated I would never recommend another Lenovo system until the company offered evidence that it had cleaned up its act and fixed its software evaluation process. The fully hardened Lenovo Solution Center shown above? Lenovo’s own website describes it as: “LSC comes preloaded on systems with Windows 7, Windows 8, Windows 8.1 and Windows 10, 32- and 64-bit, including ThinkPad, ThinkPad Tablet, ThinkCentre and ThinkStation, IdeaCentre, and select IdeaPads.” (Emphasis added.)

If you own a Think-branded business system, Lenovo takes your security seriously. If you don’t, it doesn’t give a shit. Actions speak louder than words, and the fact that the company is still selling substandard software more than a year after it pledged to improve its security is proof that nothing has changed.

No, the problem isn’t unique to Lenovo. Acer, Asus, Dell, and HP all need to clean their own houses and secure their software, once and for all. Opening users to attacks via installed software should never be considered a cost of doing business. As the Duo report notes, these applications are all considered trustworthy, since they come directly from the manufacturers themselves, meaning they’re included — even on “Signature” PC editions sold by the Microsoft store. This isn’t just a Lenovo issue, and the security report makes that clear. Nevertheless, Lenovo is the only PC company still throwing its consumers under the bus 15 months after a critical security breach. If you’re looking for a laptop, we still recommend looking elsewhere. Just because these flaws aren’t present on Think-branded systems doesn’t mean Lenovo should be rewarded for shipping substandard consumer products.